Again, the dangerous part isn't holding it hostage, it's what they can do to it without you noticing. They can intercept all your network traffic, redirect websites you visit to a server they control, etc.

If you have a hard drive plugged into your router, they can perform the same crypto-lock attack being discussed here. They can also use your router to launch attacks against the rest of your hardware.

If modern routers are delegated to router duty only, this wouldn't be a problem. However, routers these days are for all intents and purposes, specialised home servers with shared media streaming and the like as well. These are value-added functionalities ISPs use to entice new users and I'm sure a fair number of them use these to store photos, connect their USB drives - mine is also a print server for use with non-wifi network printers.